commit 8a4175cb507789fd34f9176d087d583b94a4df35
author Damien Neil <dneil@google.com> Mon Jan 10 11:03:12 2022 -0800
committer Damien Neil <dneil@google.com> Thu Feb 17 17:33:35 2022 +0000
tree c554d95f9b886be491a9c11ad10985bc1e3fc785
parent 01432bf2ebeefba4c501655b26131bdea43a9f77

reports: add GO-2021-0239 for CVE-2021-33196

Fixes golang/vulndb#239

Change-Id: Id0b7dd2d19a52ec89ecaa888720c45b871871338
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377378
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

reports/GO-2021-0239.yaml

diff --git a/reports/GO-2021-0239.yaml b/reports/GO-2021-0239.yaml
new file mode 100644
index 0000000..78747ff
--- /dev/null
+++ b/reports/GO-2021-0239.yaml
@@ -0,0 +1,30 @@
+module: std
+package: net
+versions:
+- fixed: go1.15.13
+- fixed: go1.16.5
+- fixed: go1.17
+description: |
+  The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
+  functions and their respective methods on the Resolver type may
+  return arbitrary values retrieved from DNS which do not follow
+  the established RFC 1035 rules for domain names. If these names
+  are used without further sanitization, for instance unsafely
+  included in HTML, they may allow for injection of unexpected
+  content. Note that LookupTXT may still return arbitrary values
+  that could require sanitization before further use.
+cves:
+- CVE-2021-33195
+credit: Philipp Jeitner and Haya Shulman from Fraunhofer SIT
+symbols:
+- Resolver.LookupAddr
+- Resolver.LookupCNAME
+- Resolver.LookupMX
+- Resolver.LookupNS
+- Resolver.LookupSRV
+links:
+  pr: https://go.dev/cl/320949
+  commit: https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2
+  context:
+  - https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
+  - https://go.dev/issue/46241